an optimal statistical test for robust detection against interest...

Content Centric NetworkInterest flooding detection

Proposed Uniformly Most Powerful detectorEvaluation results

Conclusion & future work

An Optimal Statistical Test for Robust Detectionagainst Interest Flooding Attacks in CCN

Tan NGUYEN Remi COGRANNE Guillaume DOYEN

ANR DOCTOR project, number <ANR-14-CE28-000>Troyes University of Technology, France

{ngoc_tan.nguyen, remi.cogranne, guillaume.doyen}@utt.fr

14th IFIP/IEEE Symposium on Integrated Networkand Service Management 2015

T. Nguyen, R. Cogranne, G. Doyen




Outline

1 Content Centric Network

2 Interest flooding detection

3 Proposed Uniformly Most Powerful detector

4 Evaluation results

5 Conclusion & future work





Information Centric Network (ICN)

Internet usage keeps growing tremendouslyRecent efforts aiming to a clean-slate network for the future

ICN key concepts

Naming content object instead of using IP address

In-network caches

Ensure content integrity, authenticity

Natively solve part of problems: multicast, mobility support,IP address shortage ...





Content Centric Network (CCN)

Promising future network architectureCommunications by Interest and Data packets





Outline










Interest flooding

A Denial-of-Service variation in CCN environment

Attack principleOverload PIT with a large amount of Interests for non-existentcontent names, prevent router from processing Interests fromlegitimate user

Highly riskNon-existent name can be easily createdCan effect on large scale





Previous work

Proposed solutions against Interest flooding exist [1] [2] [3]A combination of both reliable detector and effectivecountermeasure still missing

Previous detection method’s drawbacks

Unclear threshold selection, usually based on experiences

⇒ Rigid performance, only valid in evaluated cases⇒ Costly to address different conditions

No expected theoretical performance

⇒ Achieved results under-optimal

Evaluate with easily detected cases

⇒ Unreliable and weak performance against challenge cases





Outline










Methodology

Statistical Hypotheses Testing with Neyman-Pearson approach

Assumptions

In ∼ Π(λ); Dn ∼ B(In; p0)

Parameters p0, λ constant, already known

Values of Dn statistically independent

Additional malicious Interests issued by attacker in ∼ Π(a)

Links’ and content providers’ capacity is sufficient





Method’s key concepts

False-alarm rate α: false positivesDetection power β: true positivesMiss-detection rate 1− β: false negativesUniformly Most Powerful (UMP) test is a test achievethe best β for a given αDetection threshold τ

Problems of previous workτ, α and β come after empirical data of particular cases andthe detector is not the uniformly most powerful





Proposed detection method

Proposed UMP detector

X =N∑

i=1

Xn =N∑

i=1

Dn − In.p0√In p0(1− p0)

Interface is{

normal if X ≥ τunder attack if X < τ

Threshold & expected detection power

τ = Φ−1(α)√

N

β = Φ

(Φ−1(α)

√N − Nµ1

σ1√

N

)T. Nguyen, R. Cogranne, G. Doyen




Outline










Evaluation setupReuse ndnSIM source code of competitor and modify it tointegrate all the configuration

Our competitorAfanasyev, Alexander, et al. "Interest flooding attack andcountermeasures in Named Data Networking." IFIP NetworkingConference, 2013. IEEE, 2013.





Approach relevance

-4 -3 -2 -1 0 1 2 3 τ10−3

10−2

10−1

100

Theoritical value of αTheoritical value of βEmpirical value of αEmpirical value of β

Figure: Theoretical and empirical α and β as a function of threshold τ .





Performance comparison

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 α0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9β(α)

Empirical of UMP test

Empirical of previous detector

Theoritical of UMP test

Figure: Overall performance of UMP test and the satisfaction ratioDn/In test.





Identifying challenge cases

0.7 0.72 0.74 0.76 0.78 0.8 0.82 0.84 0.86 0.88 p10-4

10-3

10-2

10-1

1−β(p)

Empirical result

Theoretical result

Figure: Empirical and theoretical 1− β of the UMP test, for a singlehost, as a function of p. Here α = 0.05, N = 1 and p0 = 0.85.





Potential improvement for challenge cases

0 2 4 6 8 10 12 14 16 18 N0.3

0.4

0.5

0.6

0.7

0.8

0.9

β(N)

Empirical result

Theoretical result

Figure: Empirical and theoretical β of the UMP test as a function ofsample size N. Here α = 0.05, p0 = 0.85 and p = 0.825.





Outline











The proposed detectorHas a clearly-defined, scalable thresholdThreshold independent of users’ behavior, adaptable to αHas better performance, even in some challenge casesProvide a reliable theoretical performanceMaster the trade-off between accuracy and detection delay

Future workAddress important-but-less-noticeable attack strategiesDevelop a mitigation strategy





Afanasyev, Alexander, Priya Mahadevan, Ilya Moiseenko, ErsinUzun, and Lixia ZhangInterest flooding attack and countermeasures in Named DataNetworkingIFIP Networking Conference pp. 1-9. IEEE, 2013.

Compagno, Alberto, Mauro Conti, Paolo Gasti, and Gene TsudikPoseidon: Mitigating Interest flooding DDoS attacks in NamedData NetworkingIEEE Conference on Local Computer Networks (LCN) pp.630-638. IEEE, 2013.

Dai, Huichen, Yi Wang, Jindou Fan, and Bin LiuMitigate ddos attacks in ndn by interest tracebackComputer Communications Workshops (INFOCOM WKSHPS)pp. 381-386. IEEE, 2013.


an optimal statistical test for robust detection against interest...

Documents